Imgur Confirms 2014 Breach of 1.7 Million User Accounts

Researcher Troy Hunt is credited for tipping image sharing site Imgur off to a 2014 breach of 1.7 million user accounts.

Popular image sharing community Imgur said last week it was the victim of a data breach in 2014 that exposed 1.7 million user accounts. In a breach notice posted to its website last Friday, the company said users are being notified via email that they must update their passwords immediately.

“On the afternoon of November 23rd, an email was sent to Imgur by a security researcher who frequently deals with data breaches. He believed he was sent data that included information of Imgur users,” according to a blog post by Roy Sehgal, chief operating officer for Imgur.

Sehgal said compromised account information included only email addresses and passwords. “Imgur has never asked for real names, addresses, phone numbers, or other personally-identifying information,” he said.

On November 23, we were notified about a data breach on Imgur that occurred in 2014. While we are still actively investigating the intrusion, we wanted to inform you as quickly as possible as to what we know and what we are doing in response. More: https://t.co/qElAetGVIc

“I can say that 1.7 million is a small percentage of our total user accounts today,” Sehgal told Threatpost. He said Imgur does not disclose the number of user accounts, but said Imgur reaches 250 million users a month.

Password data stored with Imgur is encrypted, according to the company. However, Sehgal said at the time of the breach the company used the older SHA-256 hashing algorithm, likely increasing the odds the passwords had been cracked via a brute force attack. Since 2014, Imgur has updated how it encrypts user PII and today uses Bcrypt, a password hashing function based on the Blowfish cipher.
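To illustrate the gap between a fast hash and a deliberately slow one, the following added example (not Imgur's code or anything from its disclosure) upgrades a legacy SHA-256 record to a salted, slow hash at the next successful login and measures the cost of one hash under each scheme. Assumptions: the legacy hash is treated as unsalted, PBKDF2 from Python's standard library stands in for bcrypt (a third-party package), and the record format, work factor and account are constructed for the example.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # assumed work factor for this example, not Imgur's setting

def legacy_hash(password):
    """One pass of SHA-256 (assumed unsalted here): cheap for anyone to compute."""
    return "sha256$" + hashlib.sha256(password.encode()).hexdigest()

def slow_hash(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow hash; PBKDF2 stands in for bcrypt."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"

def verify(password, stored):
    parts = stored.split("$")
    if parts[0] == "sha256" and len(parts) == 2:
        candidate = legacy_hash(password)
    elif parts[0] == "pbkdf2" and len(parts) == 4:
        candidate = slow_hash(password, bytes.fromhex(parts[2]), int(parts[1]))
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(candidate, stored)

def login(db, user, password):
    """Check the password and upgrade a legacy record once it is proven correct."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("sha256$"):
        db[user] = slow_hash(password)  # plaintext is only available at login
    return True

def seconds_per_hash(fn, rounds=5):
    """Average time for one hash, i.e. what each brute-force guess would cost."""
    start = time.perf_counter()
    for i in range(rounds):
        fn(f"guess-{i}")
    return (time.perf_counter() - start) / rounds

if __name__ == "__main__":
    db = {"alice@example.com": legacy_hash("constructed-password")}  # constructed record
    print(login(db, "alice@example.com", "constructed-password"), db)
    print("sha256 :", seconds_per_hash(legacy_hash))
    print("pbkdf2 :", seconds_per_hash(slow_hash))
```

Accounts that never log in again keep their legacy record, which is why a forced password reset like the one Imgur announced is the usual companion to this kind of upgrade.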

Researcher Troy Hunt, who runs the data breach repository HaveIBeenPwned.com, is credited for tipping Imgur off to the breach. Hunt, in a tweet, lauded Imgur for its speedy handling of the breach notification. According to Sehgal, Hunt sent Imgur a “flat text file with email address and passwords.”

“I want to recognize @imgur‘s exemplary handling of this: that’s 25 hours and 10 mins from my initial email to a press address to them mobilizing people over Thanksgiving, assessing the data, beginning password resets and making a public disclosure. Kudos!,” Hunt wrote via Twitter.

Hunt pointed out that of the 1.7 million password and email address pairs he reported to Imgur last week, 60 percent of the passwords and email addresses were already in the HaveIBeenPwned repository.

“Thank you for disclosing this so quickly! Better than a lot of other companies that would rather try to hide and deny it. Thank you for the openness and honesty. :),” wrote one Twitter user who goes by the handle @JaykeBird and was replying to Imgur’s quick disclosure.

The breach is just the latest in a long string of breach revelations this year. In September, Equifax disclosed a data breach affecting upwards of 143 million Americans. Last week, ride-hailing service Uber Technologies revealed that the company suffered a breach of 57 million Uber user accounts in 2016.

Unlike Imgur, Uber received heavy criticism for not disclosing more speedily a 2016 breach of 57 million Uber user accounts that included the names and driver’s license numbers of around 600,000 drivers in the US.
